
Thread: questions about reverse proxy SSL features

Last post 07-27-2009 1:47 PM by guizmo974. 0 replies.


  • 07-27-2009, 1:47 PM

    • guizmo974

    questions about reverse proxy SSL features

    Hi,

    I would like to know whether, with IIS 7 + ARR + URL Rewrite, I can handle some features I need:

    I would like to publish some sites from several hosts (a mix of Apache and IIS) through an IIS reverse proxy and SSL:

    • Publish only the IIS reverse proxy to the public network, with NATed port 443.
    • Web servers are on a private network; requests are forwarded to the right server by some private URLs. (URL Rewrite?)
    • The reverse proxy handles SSL for all the servers behind it (SSL termination). Requests between the reverse proxy and the web servers flow over HTTP. One wildcard domain cert will be used, with some DNS aliases on the same domain.
    • Some web servers may require basic form authentication with Apache. We would like, as much as possible, to be able to run our web servers behind the reverse proxy with no modification.

    It seems right, but I have one special application with SSL mutual authentication with a client cert. The application uses its own CA with a self-signed cert. The behavior of the application depends on the client cert.

    It seems that this application can run behind an Apache reverse proxy with some modules (mod_ssl among them). One problem is certificate access.

    Sample Apache config available for the app:

    Virtual host config
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile /some/path/file.pem
    SSLCertificateKeyFile /some/path/file.pem
    SSLCertificateChainFile /some/path/file.pem
    SSLCACertificateFile /some/path/file.pem
    SSLCARevocationFile /some/path/file.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    This config is for Apache's access to the cert needed by the application. How do I handle a config like this in IIS?

    The next problem is that I need to pass some custom headers to the backend server, like this:

    Sample Apache config available for the app:

    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    From my reading, it seems that the IIS reverse proxy can handle the features we need (and we want to use it for a bunch of reasons). But is mutual SSL auth with heterogeneous systems possible?

    Thanks in advance for your answers.

    Regards 
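
Added example, not part of the original post and not the application's own code: how a backend behind an SSL-terminating proxy can consume the X-Client-Verify and X-Client-DN headers from the config above, trusting them only when the request arrives from the proxy and only when mod_ssl reported SUCCESS. The proxy address 10.0.0.5, the slash-form DN layout and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only address the reverse proxy uses to reach this backend.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_dn(dn):
    """Parse a slash-form DN such as /C=FR/O=Example/CN=alice into a dict of lists.

    Values that themselves contain '/' cannot be represented unambiguously in
    this form; they are rejected as malformed instead of being guessed at.
    """
    attrs = {}
    for part in dn.strip().split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError("malformed DN component: %r" % part)
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def client_identity(peer_ip, headers):
    """Return the verified client CN, or None for an unauthenticated request."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        # Anyone else on the private network could type these headers by hand.
        raise PermissionError("request did not come through the reverse proxy")
    h = {k.lower(): v for k, v in headers.items()}
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    # With "SSLVerifyClient optional" a request without a cert still reaches us.
    if h.get("x-client-verify") != "SUCCESS":
        return None
    cns = parse_dn(h.get("x-client-dn", "")).get("CN", [])
    if len(cns) != 1:
        raise ValueError("expected exactly one CN in the client DN")
    return cns[0]


if __name__ == "__main__":
    # Constructed sample requests: (peer address, forwarded headers).
    ok = {"X-Client-Verify": "SUCCESS", "X-Client-DN": "/C=FR/O=Example CA/CN=alice"}
    print(client_identity("10.0.0.5", ok))                           # verified cert
    print(client_identity("10.0.0.5", {"X-Client-Verify": "NONE"}))  # no cert
```

The same rule applies whichever proxy terminates SSL: the backend's decision rests on the network path to the proxy, so the backend should not be reachable by any route that bypasses it.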

     
